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Abstract 


The difficulties of verifying concurrent programs lie in their inherent 
non-determinism and interferences. Rely-Guarantee reasoning is one 
useful approach to solve this problem for its capability in formally 
specifying inter-thread interferences. However, modern verification 
requires better locality and modularity. It is still a great challenge to 
verify a message-passing program in a modular and composable way. 

In this paper, we propose a new reasoning system for message- 
passing programs. It is a novel logic that supports Hoare style triples 
to specify and verify distributed programs modularly. We concretize 
the concept of event traces to represent interactions among distributed 
agents, and specify behaviors of agents by their local traces with regard 
to environmental assumptions — an idea inspired by Rely-Guarantee 
reasoning. Based on trace semantics, the verification is compositional 
in both temporal and spatial dimensions. To show validity, we apply 
our logic to modularly prove several examples. 
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1 Introduction 


With the blossom of multi-core processors and large scale network commu- 
nication, concurrency has become a crucial element in software systems. 
According to the ways of inter-thread communication, in general, there are 
two concurrent models: shared memory and message-passing. Applications 
using either of the two models are notoriously difficult to be verified because 
of non-deterministic interleaves of memory accesses or message passing. 


1.1 Separation Logic and Rely-Guarantee Reasoning 


Separation Logic (SL) is introduced by Reynolds et al. (e.g., [19]) for 
specifying and verifying programs which manipulate states with complex 
structures, especially the pointers and data structures. The key idea of SL 
is to include in the logic language some connectors to describe explicitly the 
separation of parts in the program states. By migrating the ideas of SL, 
verification of shared memory models has gained great progress. Some new 
logics have been developed and their power has been well respected, e.g., 
Concurrent Separation Logic (CSL) [2], concurrent abstract predicate [5], 
and lots of other separation-based reasoning [20, 21]. 

Separation Logic supports local reasoning for separated parts of pro- 
grams states. For the concurrent programs, when different threads reside in 
separated regions, their state separation enables local reasoning naturally. 
However, despite of state separation, the core feature of concurrency is the 
interferences among separated threads. Thus, for the formal reasoning, the 
crucial difficulty is how to formally specify and verify the interferences. 

One pioneer work in this area is Rely-Guarantee (RG) reasoning [8]. In 
RG reasoning, the specification of a program D takes the form of: 


R,Gr {p} D {aq} 


where R and G are the rely and guarantee conditions respectively; p and 
q are pre- and post-assertions for D’s local state. In the specification, R 
specifies the set of state transitions that the environment (the other threads 
in the program) could apply to the local state of D. Since environmental 
behavior is non-deterministic, p and qg are required to be stable under the 
interference of R, that is, no matter how local states transit caused by the 
environment, the validity of p and q is fixed. On the other hand, G represents 
the set of all possible state transition that are caused by the local execution 
of D. 
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One group of distinguished idea in this area is the combination of Sepa- 
ration Logic and Rely-Guarantee reasoning, e.g., SAGL [6] and RGSep [20]. 
For instance, the parallel composition rule in RGSep takes the following 
form: 

[G2] S [RiJ Ri, Gib {pi} Di {a} 
[Gi] C [Re] Re, Get {pe} Do {a2} 
R11 Re, G1 UGo— {pi * po} D1||Do {a * qa} 


where |e] denotes the semantics of e, and « is the separating conjunction 
operator that specifies separated states [19]. This rule says that two programs 
are compatible with each other when they mutually include the other one’s 
guarantee condition in their rely condition. The rely condition of the 
combined program is the intersection of R, and R2, and the guarantee 
condition is the union of G, and Gp. 

As presented, existing methods that applies RG reasoning to shared 
memory still encounter several problems that greatly impede its application: 


e Pre- and post-assertions are confined by the “stable” requirement, 
which is quite strict that forbids users from writing assertions freely. 


e The rely and guarantee conditions are globally predefined. This require 
users to carefully consider all system behavior details beforehand, which 
cannot be changed during reasoning. 


In the rest of the paper, we apply RG reasoning to message-passing 
model, which addresses the above problems. 


1.2. Lamport’s Graph Model 


Like SAGL and RGSep, many state-based verifications of shared memory 
concurrency have been studied. But for message-passing models, although it 
have been extensively studied using various process calculi [7, 14, 16], fewer 
Hoare-style state-based reasoning systems are developed, especially systems 
supporting modular reasoning. These are the main focus of our work. 

To develop such a verifying system, the first step is to define a model 
for the program states. In this paper, we choose the classic Lamport’s 
event graph [10]. Lamport introduced event graphs (or event traces) as a 
representation for the semantics of message-passing programs. Event graphs 
are essentially Directed Acyclic Graphs (DAGs) composed by nodes and 
directed arrows, where nodes represent atomic actions (e.g., send/receive 
events), and directed arrows represent inter-agent communications. Each 
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event graph defines implicitly a partial order — happens-before, denoted by 
~< — among nodes, which is the transitive closure combined of agents’ local 
order and directed arrows, to reveal the causality relation among events. 
This order will be formally defined later. 


1.3. Our Approach 


In terms of formal verification, for any semantics based on event graphs, 
one crux is to modularly specify graph structures. As a graph represents a 
collection of ordered and correlated events (nodes), the modularity could 
only be achieved when we can carve out irrelevant events in reasoning a local 
behavior. To make this possible, we view the structure of an event graph 
from two dimensions: the spatial dimension and the temporal dimension. 
We introduce a separating conjunction operator, *, to depict the spatial 
dimension by specifying separated traces; and an operator, o, to represent 
sequential conjunction, which defines the temporal dimension based on 
happens-before relation <, and takes a stronger condition than the spatial 
one. 

Our logic adopts the Hoare style triples to specify message-passing 
programs, and makes local reasoning of the programs a reality. Generally, 
the semantics of a set of agents D is specified by a triple as follows: 


{r,p} D {r', g} 


where r and r’ specify D’s expectations (or assumptions) about its environ- 
ment (i.e., the behaviors of other agents, similar to the rely condition in RG 
reasoning), and p and q specify the local states (changes) of D. The reasoning 
of D relies on its environmental assumptions, and the local behaviors of D 
are required to be correlated with its environmental expectations. Local 
agents are able to dynamically calculate and strengthen its environmental 
assumption in r’ in order to fulfill certain local function that are specified. 
On the other hand, the other agents should satisfy the expectation of D in 
order to parallel composite with D. 

We present the proof of a tiny example to show the deduction of our 
system and how the spatial and temporal modularity is achieved. We take 
the following simple program as the example: 


send (2, pt); 


1 xX := recv (pt); 
send (3, pt); 


recv (pt); 


Rely-Guarantee Modular Based Reasoning for 


Message-Passing Programs 


221 


1. {empi,, emp,,} 
. {pt!X, emp;,} 

x := recv (pt); 
3. iptlX oY Ag=¥} 
4. {pt!2,pt?Y Ax =Y} 
5. {pt!2, pt?2\ x = 2} 


is) 


6. {emp,,, emp, } 
recv (pt); 
7. {pt!3, pt?3 A y = 3} 


yr 


8. {pt!2, pt?2} 
y := recv (pt); 


9 pt!2 o pt!3, 
"| pt?2 0 pt?3Ay=3 


12. {emp;,; emp,,} 
13. {empi,, empy, } {emp,,, emp;,} 
10. temPy,, dei oye send (2, pt); 1 x := recv (pt); 
= “a anaes a send (3, pt); y := recv (pt); 
(ade ae Pee 14. {emp,,, pt!2 o pt!3} {see line 11} 
; oe FS 2Ay=Ss 
11. (pt?2 0 pt?3) 15. emp,,, ; e s \ 
Acatne* A ((pt!2 0 pt!3) * (pt?2 o pt?3)) 


Figure 1: Modular Proof of a Tiny Example 


The left agent sends messages 2 and 3 to the port pt sequentially, and the 
right agent is the owner of pt, who withdraws the messages and stores them 
into its local variable x and y respectively. 

The proof given in Fig. 1 is modular, because the system is proved 
agent by agent, and an agent is separately proved command by command. 

Lines 1 — 5 are the proof for the first receive command: It starts from 
{emp;,,emp;,}, where no assumption for the environment is made (the first 
emp;,) and no local action is taken (the second emp,,). Then in line 2, 
we assume the environment sends message X to pt (pt!X), where X is an 
implicitly existential-quantified logical variable and its scope is confined 
within the environmental part. After executing the receive command, there 
is a receive event in the local state (pt?Y A a = Y), where Y is existential- 
quantified to represent the message received and its scope is the local state. 
Line 4 is deduced from line 3 by strengthening the environmental assumption 
(pt!2 = 4X - pt!X); and line 5 comes because a receive should match with 
its sender (pt!2 * pt?¥Y > Y = 2). 

The other receive is proved separately (lines 6 — 7) which is similar as 
lines 1 — 5. Lines 8 — 9 are obtained from lines 6 — 7 by adding a “frame’ 
— pt!2 x pt?2 — ahead of current event graph, where pt!2 is added ahead of 
the environment, and pt?2 is ahead of the local state. Note that the frame 
does not affect existing proofs and program state. The “ahead of” relation is 
formally called “happens-before”, which is served by the operator “o”. We 


d 


3This form of writing is just for easy understanding, precisely it should be pt?Y ue pt?2, 


which will be formally discussed in Section 5. 
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can add another frame “x = 2” to the local state in line 8 and 9 in order to 
ensure line 8 is the same as line 5. This step is trivial and thus omitted. 

Having the proofs for the two receives, the whole specification of the 
first agent is obtained by sequentially combining the two proofs (lines 10 — 
ie 

The specification of the sending agent shown in lines 13 — 14 is trivial 
and needs no explanation. The composition for the two agents is shown 
in lines 12 — 15. In line 15, the environmental assumption of the receiver 
(line 11) is satisfied by the local state of the sender (line 14), therefore, the 
environmental part of line 15 is emp;,. The local part of line 15 is just the 
composition of local state of both agents. 


1.4 Contributions 


In summary, the logic we developed in this work makes the following contri- 
butions: 


e It concretizes the concept of event graph [10] to represent the interac- 
tions among agents, and proposes a set of trace predicates to specify 
the properties of traces. 


e It supports two-dimensional modularity: temporal modularity, as 
shown by the separated proofs of the receives in above example; and 
spatial modularity, as shown by the separated proofs of the agents. 


e Each agent can be proved locally with suitable explicitly calculated 
assumptions about its environment, and proofs of separate agents can 
be combined as long as their local behaviors could mutually satisfy the 
environmental assumptions of their partners. 


e Comparing with classic RG reasoning, our method removes the stability 
requirement of pre/post-assertions, and allows dynamically calculate 
environment assumption. These relaxation strongly ease the burden of 
users. 


This article extends the conference paper which is presented in ICTAC 
2014 [11]. There are two major improvements. First, we significantly expand 
the details for reasoning distributed programs that exhibits non-deterministic 
behaviors. Second, we prove another message-passing algorithm — leader 
election — to further validate our theory. 
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In the rest of the paper, we give a formal definition of event trace, 
and present a trace algebra for separating and sequential conjunctions in 
Section 2; and a formal presentation for the model and operational semantics 
in Section 3. The assertion language for specifying trace structures and 
the reasoning logic was presented at Sections 4 and 5. Formal semantics 
are presented and proved in Section 6. Section 7 specifically shows the 
application for proving non-deterministic programs. Sections 8 and 9 give 
case studies, and Section 10 discusses the related work and concludes. 


2 Event Trace — the Basic Program State Settings 


A distributed system is composed by a set of agents*, which are run concur- 
rently. Each of the agents represents a computational process that can own 
several ports for receiving messages. In our setting, each port belongs to 
one agent, while an agent can own multiple ports. We adopt asynchronous 
message passing: send commands will not be blocked, while receives will be 
blocked if there is no message received on the designated ports. We assume 
the state of a port is a queue, and messages are transmitted following the 
FIFO-principle [3]. 


2.1 ‘Traces 


We use event graphs [10] to depict the semantics of distributed programs. 
The left part of Fig. 2 shows the trace of a program execution, where solid 
nodes represent send events and hollow nodes are receives. The picture also 
reveals that event traces are time-space graphs, where space is measured by 
agents, and time is measured by agent local orders and inter-agent arrows 
(which represent inter-agent communications). 

The state of traces is defined formally in Fig. 2 (right part). Each event 
is represented by a tuple with four components, and referred by a unique 
reference e. A trace tr is a map from event references to its corresponding 
event, tr(e) = (m, pt, pd, sd). In an event, component m (referred by e.val) 
and pt (referred by e.port) are the value and port for the message respectively; 
pd (referred by e.pred) is e’s local direct predecessor; and sd (referred by 
e.src) refers to e’s corresponding send event when e is a receive. If e is the 


“The agent might be called process, or thread, etc. in other works. We will use the 
name agent consistently in this work. 
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Agent 1 Agent 2 Agent 3 
Value = Int AgntID = Nat Port, EvntID : Discrete Types 


(Event) (m,pt,pd,sd): Val x Port x EvntID U {AgntID} 
x EvntID U {nil} 


a (Evnt Tre) tr : EvntID —¢, Event 


Figure 2: Trace State 


first event of an agent, e.pred is the agent ID where e lives in; and e.src = nil 
if e is a send event. 
We use isSend(e) and isRecv(e) to specify the type of e: 


isSend(e) 1 este = nil isRecv(e) 1 src # nil 


We recursively define a function agent(e) to return the agent ID of the 
event referred by e: 


def e.pred e.pred € AgntID 
SS { agent(e.pred) otherwise 


2.2 Well-formed Traces 


Event traces are specific structures to record the communicating history 
among agents. In this section we present an axiomatic definition of traces. 
As Lamport postulated [10], events are partially ordered by happens-before 
relation ~<. 


Definition 1 (Happens-Before) The happens-before relation of tr, <, 


is: 
def 

€~<stpe = e=e'.predVe=e'-src 

def 

exe = del rex eo’ Ae’ Saige € } 


where {e, e’} C dom(tr) 


Based on Def. 1, we define six axioms to specify well-formed traces. 
Axioms 1 — 4 are general axioms which are proposed originally in [1]; axioms 5 
— 6 are specifically proposed for our model. We use tr to denote an event 
trace. 
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Axiom 1 tr is self-closed: 


Ve € dom(tr) - e.pred ¢ AgntID => e.pred € dom(tr), and 
Ve € dom(tr) - e.src # nil => e.src € dom(tr). 


Axiom 2 Happens-before relation < is strongly well founded. There exists 
a function f : dom(tr) + Nat such that: 


Ve,e' € dom(tr)-e < e = fle) < f(e’). 
Axiom 3 Maps e.pred and e.src are injective: 


Ve, e’ € dom(tr) - e.pred = e’.pred > e =e’, and 
Ve, e’ € dom(tr) - e.src = e/.src A e.src £ nil > e =e’. 


Axiom 4 The send field of a receive event refers to its corresponding send 
event: 


,  e.src =e! /\ isSend(e’) 
/ eval = e’.val A e.port = e’.port. 


Ve € dom(tr) - isRecv(e) => Je 


Axiom 5 Communications are robust that there is no lost message. Let ey 
and eg be two send events: 


€1 ~ €2 A ey.port = eg.port A Fes - eb.src = eg => Fe}, - ef.sre = e}. 


That is, if e2 is received, all send events that happen before eg on the same 
channel must have been received. 


Axiom 6 Messages are sent and received by the FIFO principle. Let e, and 
en be two send events: 


€, ~ €2 A €y.port = e2.port A e}.src = e1 A eb.src = €2 > 7(e5 ~ e}). 


We use Aj,...,A6 to represent the above axioms, and A to denote 
their conjunction: A = Ai A...A Ag. 


Theorem 1 Let Prop be the type of propositions over tr, then for all P : 
EvntID — Prop: 


(Ve’- (Ve-e<e' A P(e) > P(e’))) > Ve- P(e) 
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Theorem 1 is the induction over event traces: take any event e’ in the trace, 
if all events that happen before e’ satisfy P leads the truth of P at e’, then P 
holds all over the trace. This theorem is useful in proving complex properties 
over traces and also application in our method; [1] gives many examples 
showing its usage. 


Definition 2 (Well-formed Trace) Trace tr is well-formed, WF (tr), iff 
there exist tr’ and tr” such that: 


tr’ =trwtr® Atr" EA 


That is, any well-formed trace, tr, is a sub-trace of some “complete” trace 
tr” such that tr” entails A. 

In our model, events stand for the atomic actions for sending/receiving 
messages. Local actions, e.g., variable assignment, control flow execution 
etc., are not recorded as events in the graph. Axioms and theorems in this 
section are crucial for trace implication, e.g., p => q. 


2.3 Trace Separation and Algebra 


To structurally specify event traces, we introduce two operators, separating 
conjunction * and sequential conjunction o, where: 


tr, * trg is the union of all the events in tr; and tra as long as tr; and tra 
contain disjointed set of events: 


, def 


tr«tr’ =trwtr’ iff WF(trWtr’) 


tr, o tr returns tr; * tra if three additional conditions hold: (1) no event 
in tre happens before any event in tr;; (2) if e: (€ tri) and eg (€ tre) 
send messages to the same port, then e; happens before e2; and (3) if 
e1 (€ tri) and eg (€ tr) receive messages from the same port, then e1 
happens before eg. 


trotr’  tretr’ iff Vee dom(tr), e’ € dom(tr’)- 
a(e’ ~ e) A (isSend(e) A isSend(e’) A e.port = e’.port = e < e’) 
/\ (isRecv(e) A isRecv(e’) A e.port = e’.port > e < e’) 


5fWg is the union of f and g but requires that f and g have disjointed domains. 
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try =tro => tr, * tr3 = tro * tr try *trg = tro «try 
tr, *trg = tr, * tr3 > tra = trz tr =tr, otra > tr =tr, *« tre 
tr, 0 (trg otrs) = (tr, o tre) otrs tr, * (tra * tr) = (tr, * tre) * trs 


tr = tr, 0 (tro ¥ irs) => tr = (tr Otro) * trs 


tr = (ri # tro) irs => Of = (ri otra) Fir 


Figure 3: Selected Properties for Traces 


In [22], Wehrman et al. defined another semantics for tr o tr’, which 
only requires events in tr’ do not happen before events in tr. Our semantic 
definition of sequential composition is stronger. Take the trace (pt!88 o 
pt!14) « (pt?a o pt?y) for instance, we can deduce x = 88 A y = 14 with the 
additional conditions, otherwise the x = 14 A y = 88 is permitted as well. 

The two operators satisfy certain commutative and associative laws. 
Fig. 3 lists some selected properties for trace structures, which are sound 
based on the semantics. 


3 Programming Language 


In this section, we define the programming language used for constructing 
the distributed programs (system models) and its operational semantics. 

Fig. 4 gives the syntax of the language. We use FE and B to denote 
numerical and boolean expressions. Command send (F, pt) sends message 
E to port pt; and x := recv (pt) withdraws a message from pt and stores it 
into the local variable x. A distributed program is a parallel composition 
of agents C;, where each agent is tagged with a unique agent ID (21,..., 7% 
in Fig. 4). For simplicity, we don’t consider memory management in our 
model. 

The program state is defined in Fig. 5. We choose the simplest setting 
that defines the state composed by only a store s and a trace tr, where s 
maps variable names to values, and tr is already defined in Fig. 2. 


The operational semantics is defined by a set of rules which describe 
configuration transitions caused by the program execution. These rules take 
the following form: 


(D,s,tr) ~ (D’, 5’, tr’) 
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(Expr) Eo o:= «|X|n|E+E|E-E |... 

(BExp) B ::= true|false| E=E|EFE|... 

(Comd) c := w:=E| skip |send(£,pt) | x := recv (pt) 
(Stmts) Co := c|Cj;C2| while B do C | if B then C; else C2 
(Prog) (Dis) 42] || 453 [tg Ce 


Figure 4: The Language 


Loc = Int Var: Discrete Type 


(Store) s : Var —gn Value 
(EuntTrc) tr:  EvntID —g, Event 
(State) G 2S (er) 


Figure 5: State Definition 


If there is only one agent i (D =i: C), the transition can take the form of: 
(C,s,tr) ~; (C’, s’, tr’) 


Fig. 6 gives the operational semantics. In the rules, {i1 : v1;...3%n : Un} 
denotes a function f with dom(f) = {t1,...,in} and f(ij) = vj; fix & v} 
remaps x of f to v; fg is function union when dom(f) Mdom(g) = 2; [E]s 
and [B], evaluate the numerical and boolean expressions based on store s. 

In order to construct valid traces, each new event should be linked to its 
predecessor — the last event of the current trace. Function last(tr,7) returns 
the last event of agent 7 in tr. If there is no event at agent i, then the 
function returns “2” since the e.pred field of the first event is an agent ID. 
Since all events on a same agent are totally ordered by the happens-before 
relation ” <”, last(tr,i) always return a unique element. 


P i {e € dom(tr) | agent(e) =i} = @ 


4 d 
last(tr,7) = max 2 ES dom(tr’) otherwise 
2 A agent(e) =i 


For receive events, since the model adopts FIFO message passing rules, a 
new receive should match with the oldest message remaining in the designated 
port. We define a predicate fstUnMchd(e, tr, pt) to state that e is the first 
pending send event on port pt, that is, e is a send event on pt which has 
not matched with a receive yet, and no other unmatched send event on pt 
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[EZ], =n [E]; undefined 
(x := E,s,tr) ~»; (skip, s{z% n},tr) (@:= E,s,tr) ~; abort 


fstUnMchd(e, tr, pt) eval=n e! =last(tr,i) e” ¢ dom(tr) 
(x := recv (pt), s, tr) ~»,; (skip, s{z % n}, tr w {e” : (n, pt, e’, e)}) 
[E], =n e=last(tr,i) e ¢ dom(tr) 
(send (EF, pt), s,tr) ~»; (skip, s, tr W {e’ : (n, pt, e, nil)}) 


[LE]; undefined [B]; = true 
(send (EL, pt),s,tr) ~»; abort (if Bthen C, else Co, s, tr) ~; (Ci, s, tr) 
[B]. = false 
(if B then C; else Co, s, tr) ~; (C2, s, tr) 

[B], = true 

(while B doC, s,tr) ~»; (C; while B doC, s, tr) 

[B], = false (D,,0) ~ abort or (D2,c) ~ abort 
(while B do C,s,tr) ~+; (skip, s, tr) (D; || Dz, 0) ~ abort 
(Di, 0) ~ (Dj,0") (D2,0) ~ (D3, 0") 


(Di || D2,0) ~ (Di|]D2,0°) (Di || D2.) ~ (Dill D2, 0’) 


(C1,0) ~i (C{, 0") (C1,0) ~; abort 
(C1; C2,0) ~4 (Ci; C2,0°) (C1; C2, 0°) >; abort (skip; C,a) ~; (C,o) 


Figure 6: Operational Semantics 


happens before e. Formally: 


rcvd(e, pt) es isSend(e) A de’ - e’.src = e 


e 


fstUnMchd(e, tr, pt) def arcvd(e, pt) \ ae’ - (=revd(e’, pt) A e’ ~ e) 


Semantics of local primitives, e.g., assignment, control flow commands 
are regular. Rules for send and receive primitives are added, which create 
new events in the trace. For a receive command, it should find the first 
unmatched send event on the port in tr according to fstUnMchd(e, tr, pt), 
then create the corresponding receive event and add it to the trace. 

For the semantics, we have the following result: 


Theorem 2 Let (D,o) be the initial state, and oj, is the trace component 
of o, then the execution traces of any distributed program would entail A: 


((D, 0) ~* (D',0')) Nom RA = oy FA. 
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emp, iff dom(tr) = 2 (s,tr) true, iff WF (tr) 

ae iff [|B], = true 

dn,e-[E]. =n A dom(tr) = {e} Atr(e) = (n, pt, -, nil) 
n,e-[E], =n A dom(tr) = {e} A tr(e) = (n, pt, -, anil) 


/ / : / / 
soriah ae el (sWs',tr«tr’) if sWs' Atr x tr’ defined 
(s, tr) 8 (8, tr") { undefined otherwise 
f trotr’) if s=s' Atro tr’ defined 
t 1 nt) del (s, 

(s, tr) © (s', tr’) undefined otherwise 

tr* pe @UtrUtrotru... 

o* S (s,tr*) where o = (s,tr) 


01,02:01W02=0AN Epi AoE po 
01,02°01002=0A0, — pi Aor F po 


oF pi * p2 iff 
oF pi op. iff 


o  p* i dee a pAc=o> oc aap iff oF p 
GE pha iW eR phohg oFp=>q iff ifoEp,thnokgq 
oF AX -p iff dn € Val-o — p[n/X] 


Figure 7: Semantics of Assertions 


4 Assertion Language 


This section defines the assertion language for event traces. We assume an 
infinite set of logical variables LVar = {X,Y,...}. The assertion language is 
a mixture of store predicates, and trace predicates with the following syntax: 


6.9 2 eS | ESE) sc (store predicates) 
| emp,, | truet | pt!E | pt? E (trace predicates) 
|=p|pAq|AX-p|pxq|poq|p* |... (connectives) 


The semantics of assertions is defined in Fig. 7, where emp,, and true, 
specify empty trace and any well-formed trace respectively. For the primitive 
assertions, pt! and pt?E specify singleton events, where pt!E represents 
sending message F to pt and pt?E says receiving E from pt; boolean ex- 
pression holds only if it is true over the state. In the semantic definitions, 
01 J o2 represents the conjunction of two separated states, where 0, and 
o2 are required to have separated traces; 01 © a2 is the conjunction of se- 
quential states which have sequentially connected traces. For the composite 
assertions, p * q says p and q holds over separated states; po q holds over 
sequential states; p* specifies traces that circulated for a finite times, where 
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P¥d74d*D po(qgor)S(poqgor (pxqg)or>(por)xq POI>P*4q 


po(q*r) => (poqg)*r (ri * pr) o (r2 * p2) > (71 9 r2) * (pi O pa) 


Pure(p) or Pure(q) Pure(p) or Pure(q) 
poqsapr|g P*¥aePAG 


Pure(p) Pure(r) Pure(q) 
pA(qor)=(pAgo(pAr) po(qAr)s+(pogAr (pAg)ors(por)Ag 


Figure 8: Selected Proof Rules 


o* is the state that have a static store s and its trace has a sub-trace that 
repeatedly appears. 

We also define pure assertions like in the Separation Logic. Syntactically, 
pure assertions do not contain any trace predicates. 


Definition 3 (Pure Assertion) Assertion p is pure, Pure(p), iff the va- 
lidity of p does not rely on the state of the trace, i.e., 


if (s,tr) Ep, then for all tr’, (s,tr’) Kp. 


Fig. 8 lists some selected proof rules, which are sound w.r.t. the 
semantics. 


5 Inference System 


In this section, we introduce our inference system, which is a separation-based 
system for reasoning distributed programs. 


5.1 Syntactic Control of Well-formedness 


The inference rules are given in Fig. 9 and Fig. 10. In order to avoid tedious 
side conditions, Syntactic Control of Interference (SCI) [18] is adopted here. 
There are two syntactic context: Oyar for variable context, and Oport for port 
context. 


Ovar = 11, %2,0%3,... Oport nS pti, pt2, pts,... 


Ovar denotes the ownership of a set of variables, and Oyar, O/,, is the conjunc- 


tive ownership of two separated sets of variables. Oport is a set of port names, 
which specifies the access permissions of ports. If pt € Oport, the current 
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agent can withdraw messages out of pt, and other agents can only send 
messages to pt. For simplicity, we consider full permissions. It is possible to 
extend this definition with fractional permissions [17] as well. 

SCI specifies the well-formedness of expressions, assertions, and pro- 
grams. A variable/expression/assertion is well-formed, if and only if all 
its free variables are within the scope of a syntactic context. We use 
Ovar / « Var/E Exp/p Assert to represent them respectively. The well- 
formedness of a program (command), Oyar; Oporr / C Comm, can be defined 
by the following selected rules: 


Ovar & Var Ova + & Exp 
Ovari Oporr F Skip Comm — Oyar; Oport F & = LK Comm 


Ov EF xv Var Ovar F E Exp pt ¢ Oport 
Ovari Oport, pt F x := reev (pt) Comm — Ovar; Opornr F send (EL, pt) Comm 


Ova B Exp Ovar; Oport F C Comm 
Ovari Oport - while B do C Comm 


A well-formed assignment, x := E, requires the ownership of x; x := recv (pt) 
requires full permission of 2 and pt € Opon; and well-formed receive action, 
send (xz, pt) requires pt ¢ Oport- That means a thread can only receive 
messages from the ports that it owns, or send messages that it doesn’t own 
(the ports of others). We don’t list all the rules, because other rules are 
straight forward. 

A syntactic context can be weakened by extending Oyar: 


Ovar E Exp Ovyar F p Assert Ovari Oporr F C Comm 
O vars oan LEExp Ova,O.,,¢p Assert Ovyar, 0% port /$ C Comm 


var var? 


5.2 Program Specification 


The specification of a message-passing program takes the form as: 
Ovar Oport r 1% p} D ae qh 


It specifies the partial correctness of D: if D starts from a pre-state satisfying 
r*p, where r for the environmental state and p for the local state, then 
D will not abort, and when D terminates, if the environment satisfies r’, 
the local state satisfies q. If D contains only one agent, e.g., 7: C, the 
specification can be written as: 


Cyan Oport Fy ae p} C {r'’, qh 
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LE Ove pt€ Opor «x ¢ freeVar(r) U freeVar(p) 
Ovar, X;Oport Fi {r,p} x := reev (pt) {r,po pt?X Ac = X} 
LE Ovar pt ¢ Oport 
Ovar, Oport iy 1 p} send (x, pt) {r,p ° pt\a} 
Ovar’ Oport i {r, p} Ci Cane Ovar} Oport a {r’, p’} C2 {rp} (SEQ) 
Ovar; Oport Re 1r, p} Ci; Cy tae p'} 

Ovar; Oport iy {5 (p A B)} Ci fr", q} Ovar; Oport ry {%, (p A —=B)} Cy tae q} 

Ovar; Oporr Fi {r,p} if B then C; else C) {r’, gq} 
Ovar; Oport ry {r*,p" A Bh C <e SD} 
Ovar} Oport Fi {7*, p* } while B do C {r*, p* \ —B)} 


(RECV) 


(SEND) 


(IF) 


(WHILE) 


Figure 9: Selected Inference Rules — Basics 


It is innovative that we syntactically separate the pre- and post-conditions 
into two parts: one assumption for the environment, and one specification 
for the local state. In the precondition, r is the environmental assumption 
before the execution, and p specifies the local pre-state. During execution, D 
may receive (send) messages from (to) the environment, so we can calculate 
the post-assumption of environment from D’s local requirements. When D 
terminates, its environmental assumption becomes r’ and local state becomes 
q. Clearly, the trace specified by r’ and q will not be shorter than r and p. 

Note that we always consider well-formed triples in this paper. That is, 
for all expressions, assertions and programs in a tuple, they are implicitly 
required to be well-formed. 


5.3 Reasoning Rules 


In Fig. 9, the rule (RECV) for receiving commands is straightforward, where 
freeVar(e) returns the set of all free variables in e. In this rule, variable X 
is a fresh logical variable to represent the message received by the current 
agent. No environmental assumption should be made at this stage. The 
rule for send event is similar. Note that no agent can send messages to itself 
(pt € Oporr). Both (SEQ) for sequential composition and (IF) for conditional 
are trivial. (WHILE) is normal too, where each iteration should maintain the 
validity of loop invariant {r*,p*}. Other rules, which are used for structural 
reasoning, are defined in Fig. 10. 


Definition 4 (Environmental-aided Implication) Environmental-aided 
implication, written as p => p', implies p' from p with an extra coupled trace 
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pov Ba OvariOpor t {r,p'} D{r',q'} 
Ov Over {isp} Dir a) 

Tr fer Ola Oport {r,p} D {r’, q} 
Ovars Opors  {71,p} D fre, a} 


Ovar; Oport F {r, p} D {ri, at Ovar; Oport I> {r, p} D {re, qo} 
Ovar3 Oport F {r, p} D {rt Vre,q V qo} 


Ovar3 Oport F {r, p} D {ri, at Ovar; Oport F {r, p} D{ro, qo} 
Ovar3 Oport F {rp} D {r1 Ar2,q1 A qo} 
Ovari Oport + {r,p} D {r',q} Ol,” Assert notlnterfere(r”, Oport) 


var 


Ovar, Os Oport rs {r * rp} D fi * C4 q} 
Ovari Oporr + {r,p} D {r’,q} Oj, Ep’ Assert _notinterfere(p’, Oport) 


var 
Ovar; Os Oport rf {r,p * pt D re qd * p} 
Ovar; Opore + {r,p} D{r’,q} Ola Fr” Assert 1’ oX0,,. 9 


var 


Ovar, Glme Oport F {r, p} D {r’ ° if qt 
Ovari Oport F {7,P} D{r',q} Ova F rp’ Assert 1” Ose DP” 


var 
Ovar; Ons Oport F aad or, p ° ps D i ° ep. ° q} 
Ovar1; Oport, F fempy,, Pi} Di {ri,a} ers re*ry  notinterfere(ry, Oport,) 
Ovar2; Oporty F {EMP;,, P2} D2 {r2,q2} qa*r>ri*r;  notinterfere(r), Oport; ) 
Ovar1, Ovar2; Oport} 5 Oports F {empy,, P1 * po} D,||D2 18s qi * qa} 


(CONSEQ-A) 


(CONSEQ-B) 


(DISJ) 


(CONJ) 


(FRM-ENV) 


(FRM-LOC) 


(FRM-BHD) 


(FRM-AHD) 


(PAR) 


Figure 10: Selected Inference Rules — Others 


r. It is true when Vo. = (s,tr1), 02 = (s, tre): 


o1*0g ErxpAoy ErAog-Ep ) 
. => = 

A Ve € tra - isRecv(e) = e.src € dom(tr1) mFP 
Def. 4 enables local deduction (p => q) with the extra knowledge about 
environmental state (r). Particularly, all receives in the local state should 


match with some sends in the environment. For instance, we have pt?.X Las 
X = 2, while pt?X * pt!2 > X = 2 is not true since * does not enforce 
send-receive matches in the trace. 

In Fig. 10, there are two rules of consequences. (CONSEQ-A) adopts 
environmental aided implication for local deduction. To weaken a specifi- 
cation, we can either strengthen its local precondition, or weaken its local 
post-condition. (CONSEQ-B) is for the environmental state. Different from 
(CONSEQ-A), it only allows strengthening the assumption of environment, 
either at precondition or postcondition. These two rules are usually applied 
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together with rule (RECV). (RECV) makes no assumption about the mes- 
sage received. Using (CONSEQ-B), the current agent can make assumption 
for the received value by strengthening the predicate in the assumption part. 
Then, by using (CONSEQ-A), we can deduce the local state with the aid of 
a stronger environmental assumption. 

Rules (DISJ) and (CONJ) allows combing bifurcated deductions. For 
(DISJ), the two post-assertions rely on different environmental assumptions, 
so if at least one of these assumptions is satisfied, the local state must 
satisfies q1 V gg. (CONJ) is similar that needs no more explanation. 

Our system supports spatial modularity, because it allows the proof of 
a local agent to be extended with a frame by x, as long as the frame does 
not interfere with existing proofs. 


Definition 5 (Non-Interference) For an assertion r, we say that r does 
not interfere with Opor, written as notInterfere(1, Oport), when: 


r => (trueg, * (pt! V pt?_) > pt € Oport) 


Predicate notInterfere(r, Opor) says that the trace specified by r does not 
interfere with Oport, that is, it does not send or receive messages via any 
port in Oport- 

The spatial modularity is described by rules (FRM-ENV) and (FRM- 
LOC) in Fig. 10. Rule (FRM-ENV) is the frame rule for the environment. It 
allows the environment to be extended with frame r”, as long as r” does not 
interfere with D, i.e., r’” must not race with r’ by sending messages to D; and 
not race with q by receiving messages form r’. Rule (FRM-LOC) is the frame 
rule for local state. If p’ does not contain any message passing predicates, 
this rule is reduced to the standard frame rule in SL. If p’ contains some 
message passing events, it must not interfere the existing communication 
between r’ and q. 


Definition 6 (Hooked Assertions) Assertion p is hooked with q by Oport, 
which is denoted as p™0O,, 9, iff for any trace tr such that tr = p*q, any 
event e € dom(tr), and any port pt € Oport, the following conditions hold: 


isSend(e) A e.port = pt = de’ € dom(tr)- e’.src =e, and 
isRecv(e) A e.port = pt = de’ € dom(tr) - e.src = e’. 


Intuitively, p ™o,,, q says that for any trace tr which satisfies p * q, there is 
no pending send or receive event that accesses ports in Oport. 
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Example 1 Let Opon = {pt}, posiSend = (AX-pt!X AX > 0)*, posiRecu = 
(AX - pt?X A X > 0)*, we will have 


e posiSend &o,,, posiRecu does not hold, and 


port 


e (posiSend o pt!0) XO, (posiRecu o pt?0) holds. 


Here posiSend is a sequence of events sending positive numbers, and posiRecv 
is a sequence of events receiving positive numbers. These two assertions are 
not hooked, because there may exist pending events in posiSend. However, 
the second pair above is hooked, since each sequence is appended with a 
sentinel 0 at the end, which enforces each send to be paired with a receive 
and vice versa. 


There are some rules for hooked assertions, which are useful for program 
reasoning. 


P1 Oper W1  P2 Opore Y2 Pi ° P2 Opot 91°92 PI MlOpor V1 
P1 O P2 POport G1 © G2 P2 Oper 92 

P1 Oper G1 P2 Opore Y2 Pi * P2 Oper W1 * 92 P1 Opn V1 
Pi * P2 POport G1 * G2 P2 POport 92 


With the definition of hooked assertion, we support temporal modularity 
as well, that is, we allow a trace to be connected ahead or behind of 
current trace. Temporal modularity is supported by rules (FRM-BHD) and 
(FRM-AHD). Rule (FRM-BHD) allows appending an extra r” to the end 
of environmental assumption. To ensure soundness, r’ should be hooked 
with q’ so that the extra trace r” in the environment should not affect the 
behavior of existing trace g. Rule (FRM-AHD) allows appending the frame 
r" «xp! ahead of the current trace, where r” is added to the environment, and 
p' is added to the local trace. The two assertions must be hooked together 
so that they do not affect the communication of later traces. This rule can 
be applied when proving sequential composition in programs. 

Informally, in order to prove C1; C2, we can prove C; and C2 indepen- 
dently in the first to get, e.g., {71, p1} Ci {r}, p } and {emp,;,, emp;, } C2 {rh, pb}. 
By applying (FRM-AHD), C2 satisfies {r{,, p} C2 {r{, or, pi oph}. Therefore 
by rule (SEQ), the conjunct program can be specified by {r1, pi} C1; C2 {rj 0 
75, Ph © Po}. 

Rule (PAR) is for parallel composition of separated agents. For D,||Do, 
the local trace of D, becomes the environment of D2, and vice versa. In the 
rule, r is the environment of D,; and D2. Informally, D,’s environment is 
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r * traceOf(D 2), and D2’s environment is r * traceOf(D1)°. q, *r > ro * rh 
ensures D’s environment is satisfied; and qo * r => r1 * it ensures D,’s 
environment is satisfied. 


6 Semantics and Soundness 


From the view of a local agent, state transitions could be caused either by 
itself or by other agents. We use (D,c) x (D’, 0’) to represent the transition 
of a local agent, where \ € {e,1}, e denotes the transition caused by the 
environment, and | denotes the transition caused by the agent itself. 

Consider the configuration of an agent (7: C,s,tr), where the domain 
of s is the set of variables owned by 7. From its local view, the local state 
includes store s, and local event trace (a sub-state of tr), and environmental 
event trace (the other part of tr). Local event trace of agent i contains all 
events e in tr where agent(e) = 7. 


Definition 7 (Trace Projection) tr | {i1,...,im} projects tr to the local 
trace of agents {i1,...,im}: 


(tr | fir, --sim})(€) = 
tr(e) e € dom(tr) A agent(e) € {71, ...,im} 
undefined otherwise 


Definition 8 (State Projection) Let D = i; : Ci||... |lim : Cm be a 
distributed program, then for any state o = (s,tr), we define the local state 
and environmental state for D: 


def : : 
G10." == sb [Ait ate) 
cew © oof if ¢=clocwo! 


State projection separates a state into local and environmental parts: 
g.loc is the local state for agents in D; and o.env is the environmental state. 


Lemma 1 For any transition (D,c) a (gs 
e ifX\=e, then D=D' Ac.loc =o’ loc 


e if \X=l1, then o.env = o’.env 


StraceOf(D) is an informal operator that returns the trace state of program D. 
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In Lemma 1, the first property says the environment could not affect the 
state of local resource; and the second property specifies that local state 
transition would not affect the current environmental state. 


Definition 9 (Semantics) Ovar; Opor - {r,p} D {r’,q} holds, iff for all o 
such that o.env FE r A o.loc — p, and if the followings are true: 


° (D,c) *(skip’, 0’); 


e o’.env E71’. 


Then o’.loc — q. 


Intuitively, definition of Oyar; Oport F {r,p} D {r’, q} says that D starts 
from a state o - rp, where r specifies the state of environment, p specifies 
local state. Then if the D terminates at the state o’, that o’.env E 7’, then 
o’.loc — q. 


Theorem 3 (Soundness) [f the specification of D is Ovar; Opore F {7,p} D {r', g}, 
then Ovar; Oport = 15 p} D ae q}. 


The soundness is proved by induction over reasoning rules. By proving 
the soundness for each rule, the theorem follows by a straightforward rule 
induction. Detailed proof of this theorem is available online [12]. 


7 Non-determinism: A Case Study 


The difficulty for understanding a concurrent program lies on non-deterministic 
inter-thread interleaving, for both shared memory and message-passing mod- 
els. 

In our setting, since each port belongs to one agent, all receive events 
on a port are therefore deterministically ordered by the syntactic program 
order. In this circumstance, non-determinism is only caused by send events 
to the same port which come from different agents, because these events are 
not ordered by the happens-before relation. 

Consider the following example: 


x := recv (pt); 


send (2, pt); || send (3, pt); || y := recv (pt); 


“Here the skip represents that the code of each agent in D is the skip. 
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The program consists of two senders (two agents which send messages, 
namely sender; and senderg) and one receiver (receiver). The final state 
of the receiver could be either x = 2Ay=3 0rzr=3Ay = 2, since the 
two sends do not have a determined order. This program can be proved by 
different ways based on associativity: either by (sender, || senderg) || receiver, 
or by sender, || (senderg || receiver), or senderg || (sender || receiver), where 
the later two possibilities are quite symmetric, thus we will consider only 
the first two cases below. 

For the first case, the post-condition of two senders, sender, || senderg, 
is: 

1. {emp,,, pt!2 * pt!3} 

Note that the two send events are unordered, so they are connected by «x. 

For the receiver, the proof takes the similar form as the proof example 
in Section 1, we can prove the following two specifications: 


2. {emp,, EMPe, } 4. {empy,, EMPe, } 
x := recv (pt); xX := recv (pt); 
y := recv (pt); y := recv (pt); 


3. {pt!2 0 ptl3,4 =2Ay=3A truer} 5. {ptldoptl2.c =3Ay = 2 A truce} 


Applying rule (DISJ) to the two deductions, the post-condition for the 
receiver is: 


6. {pt!2 0 pt!3 V pt!3 o pt!2, ((c =2Ay=3)V (wx =3Ay = 2)) A true} 


Since pt!2 « pt!3 => (pt!2 o pt!3 V pt!3 o pt!2), the environmental part of 
line 6 is satisfied by the local state of line 1. By parallelling line 1 and 6, we 
have: 

7. {emp,,, ((@ =2ZAg=3)V @H=sAy—2)) A Deg} 


Line 7 is the specification of the whole system. It depicts the two possible 
post-conditions for the program. 

Another proof is based on the second associative form, which combines 
the receiver with a sender first. We present a proof for the receiver first: 


8. {emPe,, EMPy, } 
9. {pt!2 « pt!3, emp;,} 
x := recv (pt); 
y := recv (pt); 
10. {pt!2 * pt!3, pt?X opt?¥Y Ax =X Ay=Y} 
11. {pid « pild, (= ZA VHS) ¥ (2S SAY = 2h) A trug,} 
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Line 9 is obtained by line 8 by assuming two unordered send events in the 
environmental state. Line 11 comes from line 10 according to environmental 
aided deduction: there are two possible post-conditions for the value of x 
and y. 


The post-condition of one sender is {emp,,, pt!3}. According to rule 
(PAR), the sender needs to conjoin with another environmental assumption, 
which is pt!2 here, in order to satisfy the environmental state of line 11. By 
rule (PAR), we can parallel compose the sender with the receiver and have 
a resulted post-condition: 


12. {ui2, ((2=2Ag=3)V (2 =FA y= 2)) A tridy} 


The other sender can satisfy the rest of the assumption in line 12, which 
results in the same post-condition as line 7. This step is similar and thus 
omitted. 


The examples shows the usage of our logic to reason the systems 
that exhibit non-deterministic behaviors. The local thread only needs to 
assume unordered send events in the environment, which will result in non- 
deterministic local state from environmental aided deduction. The proofs for 
a program can be various depending on different association among threads. 


8 Example: Filters 


Filters form a common class of distributed systems. A filter is an agent that 
receives messages from one or more ports and send messages to some other 
ports. In this section, we prove a filter example — Merging Network. 


Fig. 11 (upper part) shows the architecture of a merging network. Each 
agent in the network is a filter that merges two monotonic positive streams 
into one monotonic stream, and 0 marks the end of streams. Fig. 11 (lower 
part) shows an implementation of agent 5. Here each port takes a unique 
ID, and k@i denotes port k of agent 7. 


Agent 5 owns two variables and two ports, and is sequentially composed 
by three while loops. As the proof of the trivial example in Section 1, we 
prove these loops separately and then sequentially compose these independent 
proofs together. 


Rely-Guarantee Modular Based Reasoning for 


Message-Passing Programs 241 
—[Port! ‘@. 
— aT ‘. _— ‘o 
A 5 
el - er ™ ES Port? |~ 
— Pore 2 |~ —>| Port: | ee Port:2 |~ 


—[Port:2 |~ 


agent5 () { 
vi = recv (105); ve = recv (205); 
while (vi #0 A ve 4 O){ 
if (vi > ve) {send (v2, 206); v2 := recv (2@5);} 
else {send (vi, 206); vi := recv (105); }} 
while (vi # 0) {send (v1, 2@6); vi := recv (2@5);} 
while (v2 # 0) {send (v2, 2@6); ve := recv (1@5);} 
send (0, 2@6); 


} 
Figure 11: Merge Sort 


For clarity, we define the following predicates to simplify descriptions: 


mono(pt) e (truer, * pt!X) o (true, x ptlY) > 0< X <Y 
monoEnd (pt) ae mono(pt) o pt!0 
large(var) in - (true, * 2Q6!n => var = 0V var > n) 
eqLast(pt, var) = true, o pt?X => var = X 


mono(pt) says the environment sends positive monotonic messages to pt, and 
monoEnd(pt) additionally says the stream has ended; large(var) says var is 
either larger than any message that previously sent to 2@6 or equal to 0; 
eqlast(pt, var) says var equals to the last message that received from pt. 
Fig. 12 lists the proof for the first loop. Line 1 is the loop invariant. 
It assumes that the environment send monotonic streams to 1@5 and 2@5, 
and its local trace is a composition of some receive events of that two ports 
and a set of monotonic sends to port 2@6. Line 2 is obtained from line 1 by 
conjoining the boolean condition of the while. Line 3 falls into a branch of 
the if statement. In this branch, the agent sends vg and receives messages 
from 2@5. Therefore, we treat some assertions about v; and 1@5 in line 2 as 
frame, and line 3 is deduced by framing out those irrelevant traces. Line 4 is 
the same as line 3, because according to large(v2) A vo 4 0, v2 is larger than 
any message that was previously sent to 2@6, so mono(2@6) holds in line 
4; also since v1 > vo, large(v1) remains to be true in line 4. The deduction 
from line 4 to 5 is also the standard local deduction. Deductions for the 
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1 monoEnd(1@5) « monoEnd(2@5), A large(v1) A large(v2) 


(1@5?_)* *« (2@5?_)* * mono(2@6) 
A eqLast(1@5, v1) A eqLast(2@5, v2) 


while (vz; AOA vo 4 O){ 


2 monoEnd(1@5) « monoEnd(2@5), A vo 4 0A large(vz) A large(v2) 


(1@5?_)* * (2@5?_)* * mono(2@6) Av; 4 0 
A eqLast(1@5, v1) A eqLast(2@5, v2) 


if (vi > va){ 


(2@5?_)* * mono(2Q6) A large(v1) A large(v2) 
2 { monotind(205) A eqLast(2@5, v2) A v1 > v2 > 0 
send (v2, 206); 
(2@5?_)* « mono(2@6) A large(v1) A large(v2) 
. { monotnd(225), A eqLast(2@5, v2) A v1 > v2 > 0 
vo := recv (2@5);} 
5 {monoEnd(2@5), (2@5?_)* * mono(2@6) A large(v1) A large(v2) A eqLast(2@5, v2) } 
else{ 


send (v;, 206); 
vi := recv (1@5);} 


(1@5?_)* « (2@5?_)* * mono(2@6) 
6 monoEnd(1@5) * monoEnd(2@5), A (v1 = 0 V ve = 0) A large(v1) A large(v2) 
A eqLast(1@5, v1) A eqLast(2@5, v2) 


Figure 12: Proof of the First While-loop 


other branch are symmetric and thus omitted. Line 6 is obtained from line 
5 by conjoining with the frame that was put aside in line 3. 

Proof of the second loop is given in Fig 13. Line 7 is obtained from line 
6 by framing out irrelevant assertions about 2@5 and adjoining the boolean 
predicate that guarded by the loop. The proof from line 7 to line 8 is just 
local reasoning as the proof from line 3 to 5. Line 9 is obtained by conjoining 
the frame of line 7 back to the post-condition. The third loop is symmetric 
with the second, and therefore we omit its proof. 

The sketch of the overall proof is given in Fig. 14, where we only present 
the assertions at the critical places, e.g., the position where a framework is 
put aside or taken back. As we have already discussed, the overall proof is 
obtained by sequentially conjoining several separated proofs of some locally 
connected commands. The post-condition says that if the environment send 
monotonic streams to the two ports of agent 5, then the agent will send 
monotonic streams to 2@6. 

Note that the specification of agent 5 can be joined with the specification 
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while (v, 4 0){ 
(1@5?_)* * mono(2@6) Av; AOA ve = 0 
‘ MONO AO TEE, A large(v1) A eqLast(1@5, v1) 

send (v1, 206); 

vi := recv (2@5); 


(1@5?_)* « mono(2@6) A v2 = 0A large(v1) 
8 { monotnd(15), AeqLast(G5, 1) 
i 


2 \* 2 \x 
9 { monotnd( 195) * monoEnd(2@5), oy ny + a) 


Avi =O0Av =0 


Figure 13: Proof of the Second While-loop 


of other agents, just like the proof of the tiny example in Section 1. It is 
feasible if other agents take different algorithms as long as the assumption 
of agent 5 is satisfied. 


9 Example: Leader Election 


Assume there are n agents that are connected in a ring. We count them mod 
n, then 0 is another name for agent n, 2 +1 is another name for agent 1, etc. 
Each agent 7 holds a unique fixed positive integer token; and a local boolean 
variable ld; whose initial value is false. When the program terminates, the 
agent who has the biggest token wins, and its local variable /d; is set to true. 

Since each agent has only one port, we reuse agent ID as port ID. The 
program is given in Fig. 15. Each agent sends its token following the ring at 
the start and then goes into a loop. When an agent receives an incoming 
token, it compares the token with its own. If the incoming token is greater, it 
keeps passing the token; if the token is less, it discards the incoming message 
by doing nothing; if it is equal to its own, the agent sends out 0 to claim the 
leader has been chosen, and all agents terminate after 0 has past around the 
ring. 

We use maxtk(i,7) to represent the largest token from agent i to j 
(including both i and j). Assertion p(i) says if agent 7 sends token; to the 
next, then token; is the largest token from j to 7: 


p(t) a Vj + (i+ 1)!token; = token; = maxtk(j, 7) 


Note that token; is not a variable, but is a predefined constant, thus all 
maxtk(j,7) are constants as well. 
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agent5 (){ 
{emp,,, empi,} 
vi = recv (1@5); 
vg = recv (2@5); 
{1Q@5LX * 2@5!Y, 1@5?X 0 2@5?7Y Av, = X Avg =Y} 
{monoEnd(1@5) * monoEnd(2@5), 1@5?X 0 2@5?Y Av; = X Avg =Y} 
(1@5?_)* * (2@5?_)* « mono(2@6) 
monoEnd(1@5) « monoEnd(2@5), A large(v1) A large(v2) 
A eqLast(1@5, v1) A eqLast(2@5, v2) 
while (vj; 40 A vo # 0){ 
if (vy > vo){send (v2, 206); vo := recv (2@5);} 
else{send (v,, 206); vi := recv (1@5);} 


} 
(1@5?_)* * (2@5?_)* « mono(2@6) 
monoEnd(1@5) « monoEnd(2@5), A (vu; = 0 V v2 = 0) A large(vi) A large(v2) 
A eqLast(1@5, v1) A eqLast(2@5, v2) 


while (v, 4 0){ 
(1@5?_)* * mono(2@6) Av; AOA ve =0 
{ monotind(195). A large(v1) A eqLast(1@5, v1) 
send (v;, 206); vy := recv (2@5); 
{monoEnd(1@5), (1@5?_)* * mono(2@6) A v2 = 0 A large(v1) A eqLast(1@5, v1) } 


while (vg # 0){send (v2, 206); vo := recv (1@5);} 

{monoEnd(1@5) * monoEnd(2@5), (1@5?_)* « (2@5?_)* * mono(2@6) A vy = 0A v2 = 0} 
send (0, 206); 

{monoEnd(1@5) * monoEnd(2@5), (1@5?_)* * (2@5?_)* * monoEnd(2@6) } 


Figure 14: Proof Sketch of Merge Sort 


We are expected to prove that for any agent i, if the local variable 
ld; = tt, then agent i holds the largest token around the ring. We use 
predicate valid(/d;) to specify the status of ld;: 


valid(Id;) “ Id; = tt + token; = maxtk(1,n) 


The system should satisfy the following tuple: 
{emp;,, Vi - valid(Id;) } 


Note that valid(/d;) always holds when Id; = ff. 
Proof of one agent in the program is given in Fig. 16, where we have 
proved the following triple: 


{emp;,, emp;, } agents {p(t — 1), p(z) A valid(Id;)} 
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agent, (){ 

ld; := ff; 

send (token;, i+1); 

tk, := recv (i-1); 

while (tk; 4 0){ 
if (token, < tki){send (tk,, i+1);} 
if (token, = tki){ld; = tt; send (0, i+1);} 
tk; := recv (i-1); 


} 


if (1ldj = ff){send (0, i+1);} 


i 


Figure 15: Leader Election: Program 


From the triple, we proved that the local state of each agent satisfies the 
environmental assumption of the next agent. Since all agents are connected 
in a circle, so the system is self-satisfied, and we can easily have the following 
specification using (PAR) rule: 


{emp;,, emp;, } agents || ... || agentn {emp,,, valid(Id;) A... A valid(/d,,) } 


Therefore, in the post-condition, each thread in the system holds a valid 
boolean. If a boolean is tt, the agent must have the largest token around 
the circle. 

Leader election is a classic algorithm that has been proved by many 
others. However, the most distinguished feature is that our method can 
directly prove upon the real code, rather than mathematical abstractions and 
auxiliary lemmas. Besides, the system is proved modularly: each agent is 
proved against its local environmental reliance, and the parallel composition 
ensures the system to be self-contained. 


10 Related Work and Conclusions 


Now we summarize some related work, and then give a conclusion. 

Program verification has been studied from various standpoints for 
decades. Verification of concurrent systems is especially interesting because 
of their inherent non-determinism. 


Process Calculus. For the message-passing models, there exist many 
well-known works on process calculi, e.g., CSP (Communicating Sequential 
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agent, () { 
{emPz,, €MPe, } 
ld; := ff; 
{emp,,,emp,, A ld; = ff} 
{emp;,, emp,, A valid(id;) } 
send (token;, i+1); 
{emp,,, (¢ + 1)!token; A valid(Id;) } 
tk, := recv (i-1); 
{emp,,, (i + 1)!token; o (i — 1)?X A tk; = X A valid(Id;)} 
{p(t — 1), p(i) A (true, o (i — 1)?X) A tk; = X A valid(Id;)} 
while (tk; 4 0){ 
{p(t — 1), p(t) A (truer, o (¢ — 1)?X) A tk; = X A X #0 A valid(ld;)} 
if (token; < tki){ 
{p(t — 1), p(t) A (truer, o (i — 1)?X) A thy = X A X > token; A valid(ld;) } 
send (tki, i+1); 
{p(t — 1), p(t) A valid(id;) } 


if (token; = tki){ 
{p(t — 1), p(t) A (truer, o (i — 1)?X) A th; = X A X = token; A valid(ld;) } 
{p(t — 1), p(t) A tk; = token; A token; = maxtk(é + 1,7)} 
1d; = tt; 
{p(t — 1), p(t) A tk; = token; A token; = maxtk(i + 1,7) A ld; = tt} 
{p(i — 1), p(z) A valid(id;)} 
send (0, i+1); 
{p(i — 1), p(z) A valid(id;)} 

} 

tk; := recv (i-1); 

{p(t — 1), p(i) A (truey, o (i — 1)?X) A th; = X A valid(id;)} 


{p(t — 1), p(t) A (trueg, o (é — 1)?0) A tk; = 0 A valid(id;)} 
if (ld; = ff){send (0, i+1);} 
{p(t — 1), p(2) A valid(id;)} 


Figure 16: Leader Election: Proof 


Processes) [7], CCS (Calculus of Communicating System) [13], 7-calculus [15], 
and KPN (Kahn Process Network) [9]. However, those algebraic systems 
focus mainly on the agent behavior deductions and equivalence, e.g., bi- 
simulation. It is not very clear how to apply those calculi to modularly 
specify and reason the properties of local states of the agents, which are 
written in real code and defined with stated-based semantics. The later is 
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the main focus in this work. 


Separation Logic. Recently there is a clear trend that concurrency verifi- 
cation should support better modularity and locality, in order to verify larger 
systems. Modular verification of shared memory models has gained much 
progress since the development of the Separation Logic [19]. Separation Logic 
treats the program state as resource, and modularity is achieved by curving 
irrelevant resource (namely the frame) out of current state and conjoining 
the frame back when merging the local state back into the environment. In 
considering shared memory concurrency, a typical idea is to take the state of 
memory (heap) as the resource, which is a mapping from locations to values. 
In the reasoning, a portion of memory could be curved out or merged back, 
as well as transferred between the agents, those make the inference modular. 

However, in the message-passing model, event traces are, unlike heap, 
well-organized structures that associate with many add-on restrictions, e.g., 
acyclic, send-receive match, etc. The complexity of trace structures impedes 
state-based Hoare type reasoning. The challenge (and also a shining spot 
of our paper) is to structurally specify event traces so that local reasoning 
could be achieved by curving out irrelevant events, as in other Separation 
Logic related works. Our framework solves this problem by introducing two 
operators to depict the separation of traces, so that the traces could be either 
separately connected or temporally connected; and introducing four frame 
rules, so that frames could be added in four ways: adding in environmental 
or local trace, or adding ahead or behind of the current trace. These make 
our system flexible and powerful. 


Rely-Guarantee Based Reasoning. Rely-Guarantee (RG) reasoning 
was developed in 1980th [8]. In RG, a pair of Rely and Guarantee conditions 
are used to regulate the behaviors of the portions of the verified programs. 
The rely condition specifies the agents’ local assumption on the environmental 
interferences, and guarantee condition is agents’ interference upon other 
agents which form its environment. There are some limitations of the regular 
RG reasoning. In the first, the RG conditions are global and permanent, 
this requires a detailed understanding of the program to be proved prior any 
deduction. Second, the stability requirement of pre/post-conditions will also 
inhibit its accessibility. 

RG reasoning has been extended with Separation Logic for verifying 
concurrent systems towards better modularity. The notable works in this 
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direction include Vafeiadis et al. [20] and Wehrman et al. [22]. Many inter- 
esting concurrent programs have been verified that show the power of the 
marriage of the RG reasoning with the Separation Logic. However, these 
works all target the shared memory model. 

Our system gets clearly some ideas from RG. However, comparing with 
the regular RG reasoning (that applies also to the most recent works in this 
direction), ours has some innovations: (1) The rely condition of RG should 
be pre-defined and fixed, here we can dynamically determine, calculate and 
alter the environmental assumption. (2) Our environmental assumption is 
hidden once it is satisfied by other agents, rather than remained permanently 
as RG reasoning. This makes better modularity in the reasoning. (3) 
In RG reasoning, pre- and post-conditions are required to be stable, i.e., 
the assertions should remain valid no matter how environment interferes. 
Stability is a rather strong requirement that requires thoughtful assertion 
definitions. In our system, this requirement is also eliminated, that makes 
the reasoning process easier. 


Other Works. W. de Roever et al. [4] published a book which made 
an excellent summarization with good coverage of previous works on the 
state-based verification of concurrent programs. The leading theme of the 
book is compositional techniques for concurrency verification. The book 
makes a comprehensive discussion about verification of both shared memory 
and message-passing models, and clearly, our work can be viewed as a new 
development on the same theme. However, there are some fundamental 
differences and contributions that distinguish our logic from W. de Roever 
et al.’s and many others: (1) by our limited knowledge, although Lamport’s 
trace semantics has been proposed for decades, there is no state-based 
reasoning system defined based on this semantics; (2) the two-dimensional 
(temporal and spatial) modularity of our work, which is a benefit extracted 
from Lamport’s semantics, has not been clearly touched by others; (3) our 
logic directly reason about imperative programming language, rather than 
some high level mathematical descriptions. 

There are also many other works aiming at specifying and reasoning 
message-passing programs based on trace semantics. For instance, Bickford 
et al. {1] formally defined the event trace structures, and gave a minimal set 
of axioms for trace reasoning. Comparing with other trace-based reasoning, 
including Bickford’, ours supports better modularity, and allows directly 
reasoning over existing code modules and conjoining separated proofs based 
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on several explicit conditions. 

Villard et al. [21] proposed a separation-based logic for copyless message- 
passing models. One feature of their work is the support of ownership transfer. 
It is possible to extend our logic for ownership transfer, e.g., by adding the 
notion of “resource” for each agent and specifying those transmitted resource 
inside environmental assumptions. However, this solution is similar with 
Concurrent Separation Logic [2], and will not be able to provide much 
theoretical innovation. In another aspect, Villard’s method is still defined 
based on the shared memory model, while ours is for pure message-passing 
systems. 


Conclusion and future work. 


We propose a compositional reasoning system for verifying distributed pro- 
grams with asynchronous message passing. The work inherits and integrates 
some ideas from Separation Logic, Rely-Guarantee reasoning, and others, and 
archives very good modularity in both specification and verification. This 
reasoning framework exhibits two major contributions: First, we embody 
the concept of event graphs for distributed systems, and supports modular 
specification at both temporal and spatial dimensions. Second, we propose 
an innovative Hoare triple, which syntactically separates environmental and 
local assertions, to better specify and reason interactions between agents 
and the environment. We have applied this method to reason about some 
non-deterministic message-passing programs. The formal specification and 
verification of a filter network and a leader election algorithms are presented 
this paper. In the future, we will further test its applicability with more 
applications. It is also interesting to explore the possibility of building tools 
to automate the verification process. 
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